Night Mode LabsBlue Book
Security Playbooks

Data Protection

Data protection defines how sensitive information is classified, accessed, encrypted, retained, deleted, and audited across systems.

Data classification

Define data classes that are simple enough for teams to use.

Common classes include:

  • Public.
  • Internal.
  • Confidential.
  • Restricted or regulated.

For each class, define storage, transmission, logging, retention, sharing, and access requirements.

Protection controls

  • Encrypt data in transit and at rest.
  • Use managed keys or documented key ownership.
  • Limit access by role, workload, and environment.
  • Mask or avoid sensitive fields in logs.
  • Tokenize or redact data where full values are unnecessary.
  • Define retention and deletion behavior.
  • Monitor privileged access and unusual exports.

Data flow review

Logging rules

Logs should not contain secrets, tokens, passwords, full payment data, protected health information, or other regulated personal data. If logs need identifiers, prefer stable synthetic IDs or redacted values.

Watchouts

  • Non-production environments often leak production data controls.
  • Backups and analytics exports are part of the data boundary.
  • Deletion requirements must include derived data and downstream copies.
  • Access reviews need evidence, not only policy text.

Supply Chain Security

Previous Page

Security Incident Response

Next Page

On this page

Data classificationProtection controlsData flow reviewLogging rulesWatchouts